Vulnerabilities in electronic systems that control prison doors could allow hackers or others to spring prisoners from their jail cells, according to researchers.

Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country’s top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.

Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S. — including eight maximum-security prisons — says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.

“Most people don’t know how a prison or jail is designed, that’s why no one has ever paid attention to it,” says Strauchs. “How many people know they’re built with the same kind of PLC used in centrifuges?”

PLCs are small computers that can be programmed to control any number of things, such as the spinning of rotors, the dispensing of food into packaging on an assembly line or the opening of doors. Two models of PLCs made by the German-conglomerate Siemens were the target of Stuxnet, a sophisticated piece of malware discovered last year that was designed to intercept legitimate commands going to PLCs and replace them with malicious ones. Stuxnet’s malicious commands are believed to have caused centrifuges in Iran to spin faster and slower than normal to sabotage the country’s uranium enrichment capabilities.

Though Siemens PLCs are used in some prisons, they’re a relatively small player in that market, Strauchs says. The more significant suppliers of PLCs to prisons are Allen-Bradley, Square D, GE and Mitsubishi. Across the U.S. there are about 117 federal correctional facilities, 1,700 prisons, and more than 3,000 jails. All but the smallest facilities, according to Strauchs, use PLCs to control doors and manage their security systems.

Strauchs, who lists a stint as a former CIA operations officer on his bio, became interested in testing PLCs after hearing about the systems Stuxnet targeted and realizing that he had installed similar systems in prisons years ago. He, along with his daughter Tiffany Rad, president of ELCnetworks, and independent researcher Teague Newman, purchased a Siemens PLC to examine it for vulnerabilities, then worked with another researcher, who prefers to remain anonymous and goes by the handle “Dora the SCADA explorer,” who wrote three exploits for vulnerabilities they found.

“Within three hours we had written a program to exploit the [Siemens] PLC we were testing,” said Rad, noting that it cost them just $2,500 to acquire everything they needed to research the vulnerabilities and develop the exploits.

“We acquired the product legally; we have a license for it. But it’s easy to get it off [eBay] for $500,” she said. “Anyone can do it if they have the desire.”

They recently met with the FBI and other federal agencies they won’t name to discuss the vulnerabilities and their upcoming demonstration.

“They agreed we should address it,” Strauchs said. “They weren’t happy, but they said it’s probably a good thing what you’re doing.”

Strauchs says the vulnerabilities exist in the basic architecture of the prison PLCs, many of which use Ladder Logic programming and a communications protocol that had no security protections built into it when it was designed years ago. There are also vulnerabilities in the control computers, many of which are Windows-based machines, that monitor and program PLCs.

“The vulnerabilities are inherently due to the actual use of the PLC, the one-point-controlling-many,” Rad said. “Upon gaining access to the computer that monitors, controls or programs the PLC, you then take control of that PLC.”

A hacker would need to get his malware onto the control computer either by getting a corrupt insider to install it via an infected USB stick or send it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet, Strauchs claims. He and his team recently toured a prison control room at the invitation of a correctional facility in the Rocky Mountain region and found a staffer reading his Gmail account on a control system connected to the internet. There are also other computers in non-essential parts of prisons, such as commissaries and laundry rooms, that shouldn’t be, but sometimes are, connected to networks that control critical functions.

“Bear in mind, a prison security electronic system has many parts beyond door control such as intercoms, lighting control, video surveillance, water and shower control, and so forth,” the researchers write in a paper they’ve released (.pdf) on the topic. “Access to any part, such as a remote intercom station, might provide access to all parts.”

Strauchs adds that “once we take control of the PLC we can do anything. Not just open and close doors. We can absolutely destroy the system. We could blow out all the electronics.”

Prison systems have a cascading release function so that in an emergency, such as a fire, when hundreds of prisoners need to be released quickly, the system will cycle through groups of doors at a time to avoid overloading the system by releasing them all at once. Strauchs says a hacker could design an attack to over-ride the cascade release to open all of the doors simultaneously and overload the system.

An attacker could also pick and choose specific doors to lock and unlock and suppress alarms in the system that would alert staff when a cell is opened. This would require some knowledge of the alarm system and the instructions required to target specific doors, but Strauchs explains that the PLC provides feedback to the control system each time it receives a command, such as “kitchen door east opened.” A patient hacker could sit on a control system for a while collecting intelligence like this to map each door and identify which ones to target.

While PLCs themselves need to be better secured to eliminate vulnerabilities inherent in them, Newman says prison facilities also need to update and enforce acceptable-use policies on their computers so that workers don’t connect critical systems to the internet or allow removable media, such as USB sticks, to be installed on them.

“We’re making the connection closer between what happened with Stuxnet and what could happen in facilities that put lives at risk,” he said.